privacy policy
last updated: April 2026
1. who we are
steerdev is operated by Pento Group LLC, a limited liability company organized under the laws of the State of Delaware, United States ("steerdev", "we", "us"). Pento Group LLC is the data controller for personal data processed through the Service and acts as the data processor for Customer Data you submit or connect.
this policy explains what we collect, how we use it, and the rights you have under the EU General Data Protection Regulation (GDPR), the UK GDPR, the Brazilian Lei Geral de Proteção de Dados (LGPD), the California Consumer Privacy Act (CCPA), and other applicable frameworks.
2. information we collect
we collect four categories of information:
- account data — name, work email, organization, role, authentication credentials, and billing details you provide when creating an account
- customer content — specifications, tasks, prompts, agent instructions, and source code you connect or upload to the Service for context engineering and agent execution
- derived artifacts — embeddings, vector representations, summaries, and intermediate outputs produced by the Service from your customer content
- technical and usage data — IP address, browser and device information, session data, feature interactions, agent orchestration telemetry, and operational logs
3. how we process your code
3.1 why we ingest code
steerdev is an agent orchestration platform. to plan, route, and ground agent work in your codebase, we ingest connected source code, specifications, and related artifacts into per-customer vector stores. this enables retrieval-augmented generation (RAG), context engineering, and accurate agent execution. no other use is made of your code.
3.2 automated secret redaction
before code is embedded, persisted, or transmitted to any third-party inference provider, it passes through a server-side redaction layer that detects and strips recognizable API keys, access tokens, private keys, passwords, and other secrets. we treat inbound secrets as hazardous by default and remove them from the processing pipeline. you remain responsible for rotating any secret that was committed to a connected repository.
3.3 tenant isolation
each customer's embeddings and derived artifacts are stored in logically isolated vector spaces keyed to your organization. cross-tenant retrieval is prevented at the query layer. retrieval results are never used to ground another customer's agents.
3.4 zero training on your code or output
steerdev does not use your customer content, derived artifacts, agent prompts, or generated output to train, fine-tune, or improve any artificial intelligence or machine learning model. this applies universally, across all plan tiers. all model inference is executed through Amazon Bedrock under enterprise terms that contractually prohibit training on your data and require zero retention of prompt and completion content beyond the inference request.
3.5 ingestion retention
embeddings and derived artifacts are deleted within 30 days of (a) disconnecting the source repository, (b) deleting the workspace, or (c) terminating the account, except where a longer retention is required by law. you may request earlier deletion at any time.
4. how we use your information
we use the information described in section 2 to operate and improve the Service, authenticate users and secure accounts, coordinate agent workflows, communicate with you about your account and the Service, generate aggregated de-identified analytics, prevent abuse, and meet legal obligations. we do not sell your personal data and we do not use it for cross-contextual behavioral advertising.
5. subprocessors
we rely on a small set of vetted subprocessors to provide the Service. each is bound by a written data processing agreement with confidentiality, security, and zero-training obligations at least as protective as those in this policy.
- Amazon Web Services — cloud hosting, model inference via Amazon Bedrock (including routing to foundation models such as Anthropic Claude), managed training (Amazon SageMaker), object storage (S3), key management (KMS)
- Clerk — user authentication, session management, SSO and SAML
- PostHog — product analytics and feature usage telemetry
- Sentry — error tracking and crash reporting
the live register, with data categories, regions, and legal basis, is maintained at /privacy/subprocessors. we provide at least 30 days' advance notice of any material change to this register.
6. credentials, tokens, and connected systems
when you connect a repository, issue tracker, or runtime environment, the Service requests the least-privileged scopes sufficient to perform the task. we prefer OAuth over long-lived personal access tokens, and we do not persist plaintext credentials outside encrypted secret storage. you may revoke any connected integration at any time from your workspace settings, and you remain responsible for the confidentiality of your own authentication credentials.
7. sharing and legal disclosure
we do not share your personal information with third parties except:
- with subprocessors described in section 5, under binding data processing agreements
- when required by law, regulation, subpoena, or valid legal process, and only to the extent strictly required
- to protect rights and safety, where necessary to investigate fraud, abuse, or a security incident
- with your explicit consent
- in connection with a merger, acquisition, or financing, subject to equivalent confidentiality commitments
we will notify you of a law enforcement or governmental request for your data unless we are legally prohibited from doing so.
8. security
we implement industry-standard security measures, including encryption in transit (TLS 1.2+) and at rest (AES-256), per-tenant isolation of embeddings and customer data, role-based access controls, key management via AWS KMS, sandboxed execution environments for agent workloads, and continuous infrastructure monitoring. a fuller description of our controls, including agent safety guardrails and our compliance roadmap, is available at /privacy/trust. no system is perfectly secure, and we cannot guarantee absolute security.
9. data retention
we retain each category of data only for as long as we need it to deliver the Service, meet our legal obligations, and resolve disputes:
- account metadata — retained for the life of the account and deleted within 90 days of account termination
- code embeddings and derived artifacts — deleted within 30 days of repository disconnect, workspace deletion, or account termination
- agent prompts and completions — retained for up to 13 months for debugging, abuse investigation, and product reliability, then deleted
- operational logs — retained for up to 13 months
- backups — retained on a rolling 90-day window and then overwritten
- aggregated, de-identified data — may be retained indefinitely, since it cannot be linked back to any individual or customer
10. your rights
regardless of where you live, you have the right to:
- access the personal data we hold about you
- rectify inaccurate or incomplete personal data
- erase your personal data and close your account
- port your data in a structured, commonly used, machine-readable format
- object to or restrict processing based on our legitimate interests
- withdraw consent at any time where processing is based on consent
- lodge a complaint with a supervisory authority — for the EU and UK, your national data protection authority; for Brazil, the Autoridade Nacional de Proteção de Dados (ANPD); for California, the California Privacy Protection Agency
to exercise any of these rights, contact us at steerdev@pento.ai. we will acknowledge your request within 5 business days and respond substantively within 30 days. we will not discriminate against you for exercising these rights.
11. international data transfers
Pento Group LLC is based in Delaware, United States, and operates the Service from US-based infrastructure and inference subprocessors, as disclosed at /privacy/subprocessors. if you are located in the European Economic Area, the United Kingdom, Switzerland, Brazil, or another jurisdiction with cross-border transfer restrictions, your personal data will be transferred to the United States to deliver the Service.
for transfers subject to GDPR Chapter V (or equivalent provisions under UK GDPR, the Swiss FADP, or Brazilian LGPD), we rely on a combination of (a) the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum, where applicable) executed with each relevant subprocessor, and (b) supplementary technical measures, including encryption in transit, encryption at rest, and the secret-redaction pipeline described in section 3.2. a copy of the relevant transfer mechanisms is available from steerdev@pento.ai.
12. cookies
we use essential cookies for authentication and session management, and analytics cookies to understand how the Service is used. we do not use advertising cookies, tracking pixels, or cross-site trackers. you can control cookie preferences through your browser settings or, where offered, through our in-product consent controls.
13. children's privacy
the Service is not directed to individuals under 16. we do not knowingly collect personal data from children. if we learn we have collected data from a child, we will delete it promptly.
14. changes to this policy
we may update this policy from time to time. we will notify you of material changes at least 30 days before they take effect, via email or through the Service. your continued use after the effective date constitutes acceptance of the updated policy.
15. contact
for privacy-related questions, data subject requests, or to reach our Data Protection Officer, contact us at privacy@steerdev.com. the controller of record is Pento Group LLC, Delaware, United States.